Bugtraq mailing list archives

Re: Cisco PIX Firewall (smtp content filtering hack)


From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Wed, 20 Sep 2000 09:46:58 -0700

On Tue, 19 Sep 2000, Lisa Napier wrote:

> Hi,
>
> We have been working for some time to repair this defect.  We have a
> planned advisory to be posted next week.  We do not yet have fixed code to
> address this issue, but expect to shortly -- this is what typically holds
> up the advisory process, ensuring that we have a solution to the problem
> reported.
>
> Unfortunately this posting does not provide a workaround, nor any real
> assistance to customers attempting to protect themselves.
>
> We really appreciate prior notification.  We do work to get vulnerabilities
> fixed, and in fact were already working diligently on this one.

As a Cisco customer, I personally prefer to get notification as soon as
possible.  Cisco has known about this bug, but they haven't notified their
customers.  That is an example of stinky corporate non-ethics at
work.  We should be notified instantly whenever new security
vulnerabilities are discovered.  We always have one recourse and
workaround, which is to decommission our Pix firewalls until things are
fixed.  Of course, this isn't Cisco's preference, so they choose instead
to leave their customers in the field with equipment that has security
problems which are certain to be discovered by a third party and possibly
exploited.  I think this scenario has mostly played out in this case.

I wish vendors would get a clue and realize that their customers need
security information RIGHT NOW, not when a fix is available.  We must be
able to assess our own security situation and take action based on the
known risks.  If we don't know about the risks, we can't assess them.

Jeffrey Baker
